Black Hat And The Jedi Force
Reporter's Notebook: LAS VEGAS -- Sometimes you don't need high tech to circumvent high tech.
At this year's Black Hat security conference here, the usual array of high-tech methods for attacking systems was discussed. There was also discussion of what I would consider to be a lot of low-tech ways to attack systems and security.
Johnny Long, the author of numerous security books and self-described ninja, hacker and descendant of the pirate Captain Morgan (yeah, the rum pirate), is perhaps the epitome of the low-tech hacker. Before an overflow-capacity crowd, he delivered what had to be the highlight of the conference with a raucous presentation on no-tech hacking.
Long, who also goes by the name Johnny I Hack Stuff, walked the audience through a series of techniques to do things such as look at pictures of cars in a parking lot to determine things about the vehicles' owners. Long also got a few laughs when he described how he went dumpster diving to find things. The not so funny part is the fact that he found Social Security numbers and personal health information.
Perhaps most surprisingly, Long was able to demonstrate that he was not only a hacker but also a Jedi. The Jedi wave, that is, comes from the scene in the original Star Wars film in which Obi-Wan Kenobi waves his hand in front of an Imperial stormtrooper and gets the trooper to let him by. ("These aren't the droids you're looking for. You can go about your business. Move along. Move along.")
In Long's case he duplicated an AT&T name badge and simply waved it in front of people at various locations to get access to buildings.
Now that's low-tech hacking.
Though Long certainly got the most laughs for his no-tech hacking approach, other seemingly low-tech approaches to hacking got a lot of mention this year. The simple act of timing, or measuring the time it takes for an action to occur, is perhaps one of the simplest forms of hacking.
Several presenters demonstrated that, by timing actions, they could determine whether users or accounts were valid. Timing attacks also play a role in injection-type attacks: By simply noticing a time delay, a hacker may well find something that is exploitable.
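To make the account-validity point concrete from the defender's side, here is an added example (not code from the article or from any Black Hat talk) showing a login check whose response time depends on whether the account exists, beside a version that does the same work either way. All names and the sample account are hypothetical, and the count of password-hash calls stands in for measured response time.

```python
import hashlib
import hmac
import os

ITERATIONS = 50_000  # constructed value, kept low so the example runs quickly
kdf_calls = 0        # counts expensive hash operations; a proxy for response time

def kdf(password: str, salt: bytes) -> bytes:
    """Slow password hash; this is the step that dominates login latency."""
    global kdf_calls
    kdf_calls += 1
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

def make_user(password: str):
    salt = os.urandom(16)
    return salt, kdf(password, salt)

# Constructed sample account store (hypothetical user).
USERS = {"alice": make_user("correct horse")}
# Dummy record checked when the username is unknown, so both paths cost the same.
DUMMY = make_user(os.urandom(16).hex())

def login_leaky(username: str, password: str) -> bool:
    record = USERS.get(username)
    if record is None:
        return False  # early exit: no hash is computed, so the reply is faster
    salt, stored = record
    return kdf(password, salt) == stored  # ordinary, non-constant-time compare

def login_uniform(username: str, password: str) -> bool:
    record = USERS.get(username)
    salt, stored = record if record is not None else DUMMY
    ok = hmac.compare_digest(kdf(password, salt), stored)  # constant-time compare
    return ok and record is not None

def work_for(login, username: str) -> int:
    """Return how many slow hash calls one failed login attempt costs."""
    before = kdf_calls
    login(username, "wrong password")
    return kdf_calls - before

if __name__ == "__main__":
    for fn in (login_leaky, login_uniform):
        print(fn.__name__, "valid:", work_for(fn, "alice"),
              "unknown:", work_for(fn, "nobody"))
```

The same principle applies to the error message and status code: they should be identical for an unknown account and a wrong password.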
Fuzzing got its time, too, with an entire track dedicated to it and multiple vendors announcing fuzzing tools.
Fuzzing is just an automated script throwing what can accurately be referred to as garbage input against an application to see what happens. It's not terribly elaborate, but the results that fuzzing yields, according to many at Black Hat, are incredibly valuable. The much-hyped iPhone vulnerability was discovered, according to the researcher who reported it, by fuzzing.
There is a good reason why low-tech approaches work. Brad Hill, a researcher with iSEC Partners, noted in his presentation on XML security that complexity is the enemy of security. It's a lesson that applies both to those who are looking at securing things and to those who are looking at bypassing security.
Fundamentally, for hackers it's all about being aware of what is in front of you and noticing things that others don't. By noticing what is obvious if you're looking for it, you can get around seemingly secure items with relative ease.
That was the lesson that Johnny Long tried to impart with his humor and that other presenters touched on with their more technical approaches. It's a lesson that should be taken very seriously.
Sean Michael Kerner is a senior editor for internetnews.com.